{"id":"PYSEC-2026-282","summary":"APScheduler's JSONSerializer and CBORSerializer are vulnerable to Remote Code Execution (RCE) via Insecure Deserialization","details":"The JSONSerializer and CBORSerializer in APScheduler (all versions including 3.10.x and 4.0.0a5) are vulnerable to Remote Code Execution (RCE) via Insecure Deserialization. The unmarshal_object function allows for arbitrary class instantiation and state injection by dynamically importing modules and calling __setstate__ on any class available in the Python environment. An attacker can exploit this by submitting a specially crafted JSON or CBOR payload to an application using these serializers.","aliases":["CVE-2026-31072","GHSA-9cfw-f3f9-7mm7"],"modified":"2026-07-01T20:22:49.421836Z","published":"2026-06-29T11:50:49.946441Z","references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31072"},{"type":"WEB","url":"https://gist.github.com/nedlir/11fb77f35a59cbba73392a086b02a9c6"},{"type":"PACKAGE","url":"https://github.com/agronholm/apscheduler"},{"type":"PACKAGE","url":"https://pypi.org/project/apscheduler"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-9cfw-f3f9-7mm7"}],"affected":[{"package":{"name":"apscheduler","ecosystem":"PyPI","purl":"pkg:pypi/apscheduler"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.0.0a1"},{"last_affected":"4.0.0a6"}]}],"versions":["4.0.0a1","4.0.0a2","4.0.0a3","4.0.0a4","4.0.0a5","4.0.0a6"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/apscheduler/PYSEC-2026-282.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}